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recognized by the interested party as authors and designers of the MQQ-SIG digital signature scheme. 
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2 Description of the MQQ-SIG digital signature scheme 



A generic description for our scheme can be expressed as a | truncation of a typical multivariate 
quadratic system: S o P' o S' : {0, l} n — > {0, l} n where S' = S • x + v (i.e. S' is a bijective afEne 
transformation), S is a nonsingular linear transformation, and P' is a bijective multivariate quadratic 
mapping on {0, l} n . 

The bijective multivariate quadratic mapping P' : {0, l} n — > {0, l} n is defined in Table[H 



Bijective multivariate quadratic mapping P (x) 



Input: A vector x — (jfi , • ■ - , jfn) of n linear Boolean functions of n variables. We implicitly 
suppose that a multivariate quadratic quasigroup * is previously defined, and that n — 32fc, 
k £ {5, 6, 7, 8} is also previously determined. 

Output: 8 linear expressions P' i {x\, . . . ,x n ),i = 1, . . . , 8 and n — 8 multivariate quadratic 
polynomials (sci, . . . ,x n ),i — 9, . . . , n 

1. Represent a vector x — (fi , . . . , f n ) of n linear Boolean functions of n variables x\ , . . . , x n , as 
a string x — X\ . . . Xn where Xi arc vectors of dimension 8; 

2. Compute y — Y\ . . . Yn where: Y\ — X\ , V^ + i — Xj * Xj^-i, for even j — 2, 4, . . ., and 
Yj + i — Xj^i * Xj , for odd j = 3, 5, . . . 

3. Output: y. 

Table 1. Definition of the bijective multivariate quadratic mapping P' : {0, l} n — > {0, 1} 



The algorithm for generating the public and private key is defined in the Tabled 



Algorithm for generating Public and Private key for the MQQ-SIG scheme 



Input: Integer n, where n — 32 X k and k £ {5, 6, 7, 8}. 



Output: Public key P: n — ^ multivariate quadratic polynomials Pi(x± : . . . , x n ) : % = 1 + x , . . . , n, 
Private key: Two permutations eri and <tk of the numbers {1, . . . , n}, and 81 bytes for encoding 
a quasigroup * . 



1. Generate an MQQ * according to equations Q ■ ■ ■ ©. 

2. Generate a nonsingular n X n Boolean matrix S and afHne transformation S according to 
equations {5j, .... ]1H . 

3. Compute y — S(P'(S'(x))), where x — (#1, . . . , xc n ). 

4. Output: The public key is y as n — -j multivariate quadratic polynomials P%(xi, . . . ,x n ) i — 
1 + , . . . , n, and the private key is the tuple (eri , ok , *)■ 

Table 2. Generating the public and private key 



The algorithm for signing by the private key (0*1,(7x5 *) is defined in Table [3j 



Algorithm for digital signature with the private key (cti, crj(, *) 



Input: A document M to be signed. 



Output: A signature sig — (xi, . . . , x n ). 



1. Compute y — {y\. . . . ,y n ) — H(M)\ n , where M is the message to be signed, H() is a standard- 
ized cryptographic hash function such as SHA-1, or SHA-2, with a hash output of not less than n 
bits. The notation H(Al)\ n denotes the least significant n bits from the hash output H(A1). 

2. Set y' = S _1 (y). 

3. Represent y as y' = Y± . . . Yn where Yi arc Boolean vectors of dimension 8. 

4. By using the left and right parastrophes \ and / of the quasigroup * compute x' — Xi . ■ ■ X n , 
such that: X± — Y± , Xj — Xj — i \ Yj , for even j — 2,4, . . ., and Xj — Yj / Xj — i , for odd j — 3, 5, ... . 

5. Compute x — S — 1 (x') + v — (^l) ■ ■ ■ > &n)- 

6. The MQQ-SIG digital signature of the document M is the vector sig = {xi , . . . , x n ). 



Table 3. Digital signing 



The algorithm for signature verification with the public key P = {Pi (x± , . . . ,x n ) \ i = 1+ §, . . . , n} 
is given in Table [4] 



Algorithm for signature verification with a public key P — {Pi{xi, . . . , x n ) | i = 1 + ~, . .. , n} 

Input: A document M and its signature sig — (2:1, . . . , x n ). 
Output: TRUE or FALSE. 

1. Compute y — (y 1 ^n,...,y n ) — H(M)\ n _Ti, where M is the signed message, H() is a stan- 
dardized cryptographic hash function such as SHA-1, or SHA-2, with a hash output of not less 
than n bits, and the notation H(M)\ rl _ji denotes the least significant n — ^ bits from the hash 

output H(M). 

2. Compute z — (z 1+ n , . . . , z n ) — P(sig). 

3. If z = y then return TRUE, else return FALSE. 

Table 4. Digital verification 



3 Multivariate Quadratic Quasigroups 

A Multivariate Quadratic Quasigroup (MQQ) * of order 2 d used in this version of MQQ-SIG can be 
described shortly by the following expression: 

x * y = B • U(x) • A 2 • y + B • Ai • x + c (1) 

where x = [x\, . . . ,Xd), y = (j/i, • ■ • ,yd), the matrices Ai, A 2 and B are nonsingular in GF(2), of 
size d x d, the vector c is a random d-dimensional vector with elements in GF(2) and all of them are 
generated by a uniformly random process. The matrix U(x) is an upper triangular matrix with all 
diagonal elements equal to 1, and the elements above the main diagonal are linear expressions of the 
variables of x = (xi, . . . , Xd). It is computed by the following expression: 

d-l 

U(x)=J + ^U i -Ai-x, (2) 

i=i 

where the matrices Ui have all elements except the elements in the rows from {1, . . . , i] that are 
strictly above the main diagonal. Those elements can be either or 1. 
Once we have a multivariate quadratic quasigroup 

* vv (x!, . . . ,x d ,yi, . . . , yd) = (fi(xi,..., x d , yi,..., yd), ■-, fd(%i, ■ ■ ■ ,x d ,yi, ■ ■ ■ , yd)) 

we will be interested in those quasigroups that will satisfy the following conditions: 

Vi e {l,...,d},Rank(B fi ) > 2d ~ 4, (3a) 
3j e{l,...,d}, Rank(B fi ) = 2d - 2 (3b) 

where matrices B f f are 2d x 2d Boolean matrices defined from the expressions fi as 

B / s = [bj,k], b 3id+k = bd+k,j = 1, iff xjy k is a term in fi. (4) 

Proposition 1. For d — 8, a multivariate quadratic quasigroup that satisfies the conditions (QJ), . . . , 
(2]) can be encoded in a unique way with 81 bytes. 



4 Nonsingular Boolean matrices in MQQ-SIG 



In MQQ-SIG the nonsingular matrices S are defined by the following expression: 

K 



(5) 



i=i 



where I ai , i = {1, 2, . . . , K} are permutation matrices of size n — 32 x k and where permutations at 
are permutations on n elements. They are defined by the following expressions: 



K 



k , if k is odd, 
fc + 1 , if k is even 



<7i — random permutation on {1, 2, . . . n} satisfying the condition ([8]), 

02 = RotateLeft(ai, 32) satisfying the condition ©, 

(T.3 = RotateLeft(<j 2 ,6^) satisfying the condition ©, 

(Tj = RotateLeft{<jj-i, 32), for j = 4, . . . , K — 1, satisfying the condition 

<7 — random permutation on {1, 2, ... n} satisfying the condition ([5]) 



1 2 

» » 



8 9 

» » 



n — 1 n 

5 Tl-l 6 ™ 



(") „(") 



,4^}fl{l,2,...,8} = 



(6) 



(7) 



(8) 



where RotateLeft^a, I) denotes a permutation obtained from the permutation a by rotating it to the 
left for I positions. 

We require an additional condition to be fulfilled by the permutations o\ , . . . , ok ■ 



L 



&K-1 



is a Latin Rectangle. 



(9) 



Once we have a nonsingular matrix S 1 we will compute its inverse obtaining 

s = (s- 1 )- 1 

and from there we will obtain the affine transformation 

S'(x) = S - x + v, 



(10) 



where the vector v is n-dimensional Boolean vector defined from the values of the permutation cjk 
by the following expression: 



64+fil 



mod 



mod 2. 



11) 



v = V 2 , ■ ■ -,v n ), where v l = 

In words: we construct the bits of the vector v by taking the four least significant bits of the values 
SggP, • ■ • , $64+11 in the permutation ax- 

Proposition 2. The linear transformation S _1 can be encoded in a unique way with 2n bytes. 



5 Characteristics of the MQQ-SIG digital signature scheme 



The main characteristics of our MQQ-SIG digital signature scheme can be briefly summarized as 
follows: 

• there is no message expansion; 

• the length of the signature is n bits where (n = 160, 192, 224 or 256); 

• its conjectured security level is 2^; 

• its verification speed is comparable to the speed of other multivariate quadratic PKCs; 

• in software its signing speed is in the range of 500-5,000 times faster than RSA and ECC 
schemes; 

• in hardware its signing or verification speed is more than 10,000 times faster than RSA and 
ECC schemes; 

• it is also well suited for producing short signatures in smart cards and RFIDs; 
5.1 The size of the public and the private key 

The size of the public key is 0.75 x n x (1 + " 2 ) bits. The private key of our scheme is the tuple 
(a 1, ok, *)• The corresponding memory size needed for storage of the private key is 2n + 81 bytes. In 
Table [5] we give the size of the public key (in KBytes) and the size of the private key (in bytes) for 
n G {160,192,224,256}. 



n 



Size of the 
public key (KBytes) 



Size of the 
private key (bytes) 



160 
192 
224 
256 



188.69 
325.71 
516.82 
771.02 



401 

465 
529 
593 



Table 5. Memory size in KBytes for the public key and in bytes for the private key 



